openldap-technical

openldap-technical@openldap.org

21 participants
9802 discussions

Locking SAMBA ccounts with LDAP backend‏
by Michael Starling 12 Jul '11

12 Jul '11

Hello. Is it possible to have SAMBA respect PAM so that when an LDAP accounts gets locked out the SAMBA account simultaneously gets locked out as well? All my windows clients are either 2003 or 2008 servers and if I understand the blurbs below in the samba man page, the "encrypted password" directive must be set to yes in order for Windows machines to authenticate against SAMBA, however if "encrypted passwords" is set to yes then SAMBA will ignore the directive "obey pam restrictions". Is there any way around this? I'm sure you'll let me know if this question is better suited for the samba lists. OS: RHEL 5.5 x64 samba3x-3.5.4-0.70.el5_6.1 openldap-2.3.43-12.el5_6.7 obey pam restrictions (G) When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAMÂ´s account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption. encrypt passwords (G) This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection. MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encrypted password support enabled and for which the user accounts have a valid encrypted password. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts. The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no. In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes smbd to authenticate against another server. -Mike

2 2

getent passwd always return 1065 users
by Oliver Schulze L. 11 Jul '11

11 Jul '11

Hi, I have a openldap server in RHEL4 and after the latest update I can only get 1065 users from the command getent passwd: getent passwd | wc -l I have like 15k users. Slapcat list them all. Where should I look for a solution? In the cache size of the DBD, in /etc/ldap.conf, in slapd.conf? Many thanks Oliver -- Oliver Schulze L. Asuncion - Paraguay http://tinymailto.com/oliver

3 3

RE: Multi Master OpenLdap.
by arun.sasi1＠wipro.com 11 Jul '11

11 Jul '11

And also I could see below message nonpresent_callback: rid=003 present UUI Thanks, -Arun From: Arun Sasi V (WI01 - Manage IT) Sent: Monday, July 11, 2011 1:36 PM To: 'E.S. Rosenberg' Cc: openldap-technical(a)openldap.org Subject: RE: Multi Master OpenLdap. Thank you very much Eli for concidering my issue. Here is my scenario... I couldn’t find any abnormality in log files and also I never seen any deletion logs in the server. Slapd will go for hang and some ID`s will get disappear same will be replicate to slaves too. Mainly Groups and Computer accounts I can see some UNBIND and connection lost logs from one server and another multimaster server from Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138411 op=24 SEARCH RESULT tag=101 err=32 nentries=0 text= Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138424 op=12 SRCH base="ou=Groups,dc=emb,dc=slb,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=65534))" Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138424 op=12 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138424 op=12 SEARCH RESULT tag=101 err=0 nentries=0 text= Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138415 op=21 SRCH base="sambaDomainName=EMB,sambaDomainName=emb,dc=emb,dc=slb,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=emb))" Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138415 op=21 SEARCH RESULT tag=101 err=32 nentries=0 text= Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138385 op=46 SRCH base="ou=Groups,dc=emb,dc=slb,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=test)(cn=test)))" Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138385 op=46 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass Jul 11 04:03:39 gb0135embldap01 slapd[9852]: <= bdb_equality_candidates: (displayName) not indexed Jul 11 04:03:39 gb0135embldap01 slapd[9852]: <= bdb_equality_candidates: (cn) not indexed Jul 11 04:07:53 gb0135embldap01 slapd[21335]: @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:07:59) $ ^Ibuildd@yellow:/build/buildd/openldap-2.4.15/debian/build/servers/slapd Jul 11 04:07:54 gb0135embldap01 slapd[21337]: slapd starting Jul 11 04:07:54 gb0135embldap01 slapd[21337]: conn=0 fd=23 ACCEPT from IP=[::1]:57016 (IP=[::]:389) Jul 11 04:07:54 gb0135embldap01 slapd[21337]: conn=1 fd=24 ACCEPT from IP=134.32.44.37:40763 (IP=0.0.0.0:389) OLCDATABSE dn: olcDatabase={1}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=emb,dc=slb,dc=com olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword by dn="cn=admin,dc=emb,dc=slb,dc=com" write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read #Enable Local Admin to add users in the Group and also SunOne to add users to country groups olcAccess: {2}to dn.subtree="ou=groups,dc=emb,dc=slb,dc=com" by set="user/uid & [cn=group-admin,ou=SuperGroups,dc=emb,dc=slb,dc=com]/memberuid" write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write by * read #Enable Local Admin to add computers olcAccess: {3}to dn.subtree="ou=Computers,dc=emb,dc=slb,dc=com" by set="user/uid & [cn=group-admin,ou=SuperGroups,dc=emb,dc=slb,dc=com]/memberuid" write by * read #Enable shell-admin to set up local user access olcAccess: {4}to attrs=loginShell,homeDirectory by set="user/uid & [cn=shell-admin,ou=SuperGroups,dc=emb,dc=slb,dc=com]/memberuid" write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write by * read #Enable write access to account sun-one-replication for sun ldap replication. olcAccess: {5}to * by dn="cn=admin,dc=emb,dc=slb,dc=com" write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write by * read olcLastMod: TRUE olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcDbIndex: entryUUID eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: gidNumber eq olcDbIndex: loginShell eq olcDbIndex: uid eq,pres,sub olcDbIndex: memberUid eq,pres,sub olcDbIndex: uniqueMember eq,pres olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub structuralObjectClass: olcHdbConfig entryUUID: f479600a-5f34-102f-8ddd-3ff046e70702 creatorsName: cn=admin,cn=config createTimestamp: 20100928101442Z olcRootDN: cn=admin,dc=emb,dc=slb,dc=com olcSyncrepl: {0}rid=003 provider=ldap://gb0135embldap01.emb.slb.com binddn="cn =admin,dc=emb,dc=slb,dc=com" bindmethod=simple credentials=Bsl@121z searchbas e="dc=emb,dc=slb,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes olcSyncrepl: {1}rid=004 provider=ldap://ae0042embldap01.emb.slb.com binddn="cn =admin,dc=emb,dc=slb,dc=com" bindmethod=simple credentials=Bsl@121z searchbas e="dc=emb,dc=slb,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes olcMirrorMode: TRUE entryCSN: 20100928191927.932499Z#000000#001#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20100928191927Z Ldap Version @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:07:59) $ Operating system Distributor ID: Ubuntu Description: Ubuntu 9.04 Release: 9.04 Codename: jaunty Thanks, -Arun -----Original Message----- From: E.S. Rosenberg [mailto:esr@g.jct.ac.il] Sent: Monday, July 11, 2011 12:58 PM To: Arun Sasi V (WI01 - Manage IT) Cc: openldap-technical(a)openldap.org Subject: Re: Multi Master OpenLdap. Have you tried raising the loglevel? Are the schemas the same between the servers? Is time in sync between the servers? What versions are you dealing with? You don't provide a lot of info and most of us are not clairvoyant.... Regards, Eli 2011/7/11 <arun.sasi1(a)wipro.com>: > > > > > Thanks, > > -Arun > > > > From: Arun Sasi V (WI01 - Manage IT) > Sent: Wednesday, July 06, 2011 5:46 PM > To: 'openldap-technical(a)openldap.org' > Subject: Multi Master OpenLdap. > > > > Hello Team, > > > > I have configured Multi-master Mirror mode replica setup in our environment. > We have 3 regions slave Ldap server which is read only and two location we > have configured as mirror mode replica Ldap. My problem here is… > > > > Master Ldap is going hang some times and some ID`s are disappearing from the > master server. I couldn’t find any logs over there for why ID`s are > disappearing and also why Ldap is going hung state. > > > > Thanks & Regards, > > Arun Sasi V > > Please do not print this email unless it is absolutely necessary. > > The information contained in this electronic message and any attachments to > this message are intended for the exclusive use of the addressee(s) and may > contain proprietary, confidential or privileged information. If you are not > the intended recipient, you should not disseminate, distribute or copy this > e-mail. Please notify the sender immediately and destroy all copies of this > message and any attachments. > > WARNING: Computer viruses can be transmitted via email. The recipient should > check this email and any attachments for the presence of viruses. The > company accepts no liability for any damage caused by any virus transmitted > by this email. > > www.wipro.com Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

1 0

RE: Multi Master OpenLdap.
by arun.sasi1＠wipro.com 11 Jul '11

11 Jul '11

Thank you very much Eli for concidering my issue. Here is my scenario... I couldn’t find any abnormality in log files and also I never seen any deletion logs in the server. Slapd will go for hang and some ID`s will get disappear same will be replicate to slaves too. Mainly Groups and Computer accounts I can see some UNBIND and connection lost logs from one server and another multimaster server from Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138411 op=24 SEARCH RESULT tag=101 err=32 nentries=0 text= Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138424 op=12 SRCH base="ou=Groups,dc=emb,dc=slb,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=65534))" Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138424 op=12 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138424 op=12 SEARCH RESULT tag=101 err=0 nentries=0 text= Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138415 op=21 SRCH base="sambaDomainName=EMB,sambaDomainName=emb,dc=emb,dc=slb,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=emb))" Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138415 op=21 SEARCH RESULT tag=101 err=32 nentries=0 text= Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138385 op=46 SRCH base="ou=Groups,dc=emb,dc=slb,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=test)(cn=test)))" Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138385 op=46 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass Jul 11 04:03:39 gb0135embldap01 slapd[9852]: <= bdb_equality_candidates: (displayName) not indexed Jul 11 04:03:39 gb0135embldap01 slapd[9852]: <= bdb_equality_candidates: (cn) not indexed Jul 11 04:07:53 gb0135embldap01 slapd[21335]: @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:07:59) $ ^Ibuildd@yellow:/build/buildd/openldap-2.4.15/debian/build/servers/slapd Jul 11 04:07:54 gb0135embldap01 slapd[21337]: slapd starting Jul 11 04:07:54 gb0135embldap01 slapd[21337]: conn=0 fd=23 ACCEPT from IP=[::1]:57016 (IP=[::]:389) Jul 11 04:07:54 gb0135embldap01 slapd[21337]: conn=1 fd=24 ACCEPT from IP=134.32.44.37:40763 (IP=0.0.0.0:389) OLCDATABSE dn: olcDatabase={1}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=emb,dc=slb,dc=com olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword by dn="cn=admin,dc=emb,dc=slb,dc=com" write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read #Enable Local Admin to add users in the Group and also SunOne to add users to country groups olcAccess: {2}to dn.subtree="ou=groups,dc=emb,dc=slb,dc=com" by set="user/uid & [cn=group-admin,ou=SuperGroups,dc=emb,dc=slb,dc=com]/memberuid" write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write by * read #Enable Local Admin to add computers olcAccess: {3}to dn.subtree="ou=Computers,dc=emb,dc=slb,dc=com" by set="user/uid & [cn=group-admin,ou=SuperGroups,dc=emb,dc=slb,dc=com]/memberuid" write by * read #Enable shell-admin to set up local user access olcAccess: {4}to attrs=loginShell,homeDirectory by set="user/uid & [cn=shell-admin,ou=SuperGroups,dc=emb,dc=slb,dc=com]/memberuid" write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write by * read #Enable write access to account sun-one-replication for sun ldap replication. olcAccess: {5}to * by dn="cn=admin,dc=emb,dc=slb,dc=com" write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write by * read olcLastMod: TRUE olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcDbIndex: entryUUID eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: gidNumber eq olcDbIndex: loginShell eq olcDbIndex: uid eq,pres,sub olcDbIndex: memberUid eq,pres,sub olcDbIndex: uniqueMember eq,pres olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub structuralObjectClass: olcHdbConfig entryUUID: f479600a-5f34-102f-8ddd-3ff046e70702 creatorsName: cn=admin,cn=config createTimestamp: 20100928101442Z olcRootDN: cn=admin,dc=emb,dc=slb,dc=com olcSyncrepl: {0}rid=003 provider=ldap://gb0135embldap01.emb.slb.com binddn="cn =admin,dc=emb,dc=slb,dc=com" bindmethod=simple credentials=Bsl@121z searchbas e="dc=emb,dc=slb,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes olcSyncrepl: {1}rid=004 provider=ldap://ae0042embldap01.emb.slb.com binddn="cn =admin,dc=emb,dc=slb,dc=com" bindmethod=simple credentials=Bsl@121z searchbas e="dc=emb,dc=slb,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes olcMirrorMode: TRUE entryCSN: 20100928191927.932499Z#000000#001#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20100928191927Z Ldap Version @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:07:59) $ Operating system Distributor ID: Ubuntu Description: Ubuntu 9.04 Release: 9.04 Codename: jaunty Thanks, -Arun -----Original Message----- From: E.S. Rosenberg [mailto:esr@g.jct.ac.il] Sent: Monday, July 11, 2011 12:58 PM To: Arun Sasi V (WI01 - Manage IT) Cc: openldap-technical(a)openldap.org Subject: Re: Multi Master OpenLdap. Have you tried raising the loglevel? Are the schemas the same between the servers? Is time in sync between the servers? What versions are you dealing with? You don't provide a lot of info and most of us are not clairvoyant.... Regards, Eli 2011/7/11 <arun.sasi1(a)wipro.com>: > > > > > Thanks, > > -Arun > > > > From: Arun Sasi V (WI01 - Manage IT) > Sent: Wednesday, July 06, 2011 5:46 PM > To: 'openldap-technical(a)openldap.org' > Subject: Multi Master OpenLdap. > > > > Hello Team, > > > > I have configured Multi-master Mirror mode replica setup in our environment. > We have 3 regions slave Ldap server which is read only and two location we > have configured as mirror mode replica Ldap. My problem here is… > > > > Master Ldap is going hang some times and some ID`s are disappearing from the > master server. I couldn’t find any logs over there for why ID`s are > disappearing and also why Ldap is going hung state. > > > > Thanks & Regards, > > Arun Sasi V > > Please do not print this email unless it is absolutely necessary. > > The information contained in this electronic message and any attachments to > this message are intended for the exclusive use of the addressee(s) and may > contain proprietary, confidential or privileged information. If you are not > the intended recipient, you should not disseminate, distribute or copy this > e-mail. Please notify the sender immediately and destroy all copies of this > message and any attachments. > > WARNING: Computer viruses can be transmitted via email. The recipient should > check this email and any attachments for the presence of viruses. The > company accepts no liability for any damage caused by any virus transmitted > by this email. > > www.wipro.com Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

1 0

RE: Multi Master OpenLdap.
by arun.sasi1＠wipro.com 10 Jul '11

10 Jul '11

Thanks, -Arun From: Arun Sasi V (WI01 - Manage IT) Sent: Wednesday, July 06, 2011 5:46 PM To: 'openldap-technical(a)openldap.org' Subject: Multi Master OpenLdap. Hello Team, I have configured Multi-master Mirror mode replica setup in our environment. We have 3 regions slave Ldap server which is read only and two location we have configured as mirror mode replica Ldap. My problem here is... Master Ldap is going hang some times and some ID`s are disappearing from the master server. I couldn't find any logs over there for why ID`s are disappearing and also why Ldap is going hung state. Thanks & Regards, Arun Sasi V Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

1 0

whose responsability
by Friedrich Locke 10 Jul '11

10 Jul '11

Hi, i have installed and configured openldap and so far, so good. But i have a simple doubt. Up to now, all users i have added to the ldap server have a field: userPassword: {SASL}user@domain I am connecting to retrieve the entry attributes with the following command: ldapsearch -x -w PASSWORD -D uid=user,ou=people,dc=my,dc=domain -b uid=user,ou=people,dc=my,dc=domain And everyting works ok. My doubt is: who is performing the password checking? The openldap server daemon (slapd) ou the ldapsearch ? Thanks in advance. Regards, Friedrich

2 3

selective services in an LDAP based CAS setup
by Joe Steeve 09 Jul '11

09 Jul '11

Hello all, We are using OpenLDAP to provide a common authentication back-end for mail, samba and a couple of web-applications. We want to selectively enable/disable services (mail, samba, etc.) for some users based on management policy. What is the best way to do it using LDAP? Regards, Joe -- .o. I'm a Free man. I use Free Software. ..o ooo http://www.joesteeve.org/

1 0

exact/base
by Friedrich Locke 08 Jul '11

08 Jul '11

Hi, may someone here explain me the difference between dn.exact and dn.base ? Thanks in advance.

3 4

limits
by Friedrich Locke 08 Jul '11

08 Jul '11

Hi, i have setted some limits in slapd.conf: limits dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" time=2048 size=16384 limits dn.one="ou=people,dc=ufv,dc=br" time=4 size=1 But my log shows: /etc/openldap/slapd.conf : line 80: deprecated "one" style "limits <pattern> <limits>" line; use "onelevel" instead. The error message is showed only for limits definition. My access rules uses "one" and i get no complains in the log file, why? Thanks in advance.

2 1

Simple Bind w/TLS without SASL/Kerberos possible to AD?
by David Mitton 08 Jul '11

08 Jul '11

I am trying to use OpenLDAP from an embedded Linux system to authenticate (PAM LDAP) against a Windows AD server. I must use TLS to secure this, but I would rather not use SASL or Kerberos if possible. I have been able to mock this up on a Centos system without TLS, and the PAM worked fine. When I turn on TLS, the Windows server handshakes the TLS but then has a problem with the first message. I am also working that side. I have walked through the handshake with s_client, and the connection is happy. I am now working with ldapsearch and trying things.... The first thing I notice is that it seems to try an SASL bind. Can I stop this? I'm not sure I have SASL actually installed on this system, and I'm not sure I want it in my target. Is this possible? from both the OpenLDAP client and/or Windows AD? Ideas on the correct alphabet soup to try this with ldapsearch would be appreciated. Thanks.

3 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical